Abstract


This memo proposes several elliptic curve domain parameters over 
finite prime fields for use in cryptographic applications. The 
domain parameters are consistent with the relevant international 
standards, and can be used in X.509 certificates and certificate 
revocation lists (CRLs), for Internet Key Exchange (IKE), Transport 
Layer Security (TLS), XML signatures, and all applications or 
protocols based on the cryptographic message syntax (CMS). 

1. Introduction


Although several standards for elliptic curves and domain parameters 
exist (e.g., [ANSI1], [FIPS], or [SEC2]), some major issues have 
still not been addressed: 


o Not all parameters have been generated in a verifiably pseudo- 
random way. In particular, the seeds from which the curve 
parameters were derived have been chosen ad hoc, leaving out an 
essential part of the security proof. 


o The primes selected for the base fields have a very special form 
facilitating efficient implementation. This does not only 
contradict the approach of pseudo-random parameters, but also 
increases the risk of implementations violating one of the 
numerous patents for fast modular arithmetic with special primes. 


o No proofs are provided that the proposed parameters do not belong 
to those classes of parameters that are susceptible to 
cryptanalytic attacks with sub-exponential complexity. 


o Recent research results seem to indicate a potential for new 
attacks on elliptic curve cryptosystems. At least for 
applications with the highest security demands or under 
circumstances that complicate a change of parameters in response 
to new attacks, the inclusion of a corresponding security 
requirement for domain parameters (the class group condition, see 
Section 2) is justified. 


o Some of the proposed subgroups have a non-trivial cofactor, which 
demands additional checks by cryptographic applications to prevent 
small subgroup attacks (see [ANSI1] or [SEC1]). 


o The domain parameters specified do not cover all bit lengths that 
correspond to the commonly used key lengths for symmetric 
cryptographic algorithms. In particular, there is no 512-bit 
curve defined, but only one with a 521-bit length, which may be 
disadvantageous for some implementations. 


Furthermore, many of the parameters specified by the existing 
standards are identical (see [SEC2] for a comparison). Thus, there 
is still a need for additional elliptic curve domain parameters that 
overcome the above limitations. 

1.1. Scope and Relation to Other Specifications


This RFC specifies elliptic curve domain parameters over prime fields 
GF(p) with p having a length of 160, 192, 224, 256, 320, 384, and 512 
bits. These parameters were generated in a pseudo-random, yet 
completely systematic and reproducible, way and have been verified to 
resist current cryptanalytic approaches. The parameters are 
compliant with ANSI X9.62 [ANSI1] and ANSI X9.63 [ANSI2], ISO/IEC
14888 [ISO1] and ISO/IEC 15946 [ISO2], ETSI TS 102 176-1 [ETSI], as
well as with FIPS-186-2 [FIPS], and the Efficient Cryptography Group 
(SECG) specifications ([SEC1] and [SEC2]). 


Furthermore, this document identifies the security and implementation 
requirements for the parameters, and describes the methods used for 
the pseudo-random generation of the parameters. 


Finally, this RFC defines ASN.1 object identifiers for all elliptic 
curve domain parameter sets specified herein, e.g., for use in X.509 
certificates. 


This document addresses neither the cryptographic algorithms to be
used with the specified parameters nor their application in other
standards. However, it is consistent with the following RFCs that
specify the usage of elliptic curve cryptography in protocols and
applications:

o [RFC5753] for the cryptographic message syntax (CMS)
o [RFC3279] and [RFC5480] for X.509 certificates and CRLs
o [RFC4050] for XML signatures
o [RFC4492] for TLS
o [RFC4754] for IKE

1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].


2. Requirements on the Elliptic Curve Domain Parameters 


Throughout this memo, let p > 3 be a prime and GF(p) a finite field
(sometimes also referred to as Galois Field or GF(p)) with p
elements. For given A and B with non-zero 4*A^3 + 27*B^2 mod p, the
set of solutions (x,y) for the equation E: y^2 = x^3 + A*x + B mod p
over GF(p) together with a neutral element O and well-defined laws
for addition and inversion define a group E(GF(p)) -- the group of
GF(p) rational points on E. Typically, for cryptographic
applications, an element G of prime order q is chosen in E(GF(p)).


A comprehensive introduction to elliptic curve cryptography can be 
found in [CFDA] and [BSS]. 


Note 1: We choose {0,...,p-1} as a set of representatives for the 
elements of GF(p). This choice induces a natural ordering on GF(p). 
2.1. Security Requirements 


The following security requirements are either motivated by known 
cryptographic analysis or aim to enhance trust in the recommended 
curves. As this specification aims at a particularly high level of 
security, a restrictive position is taken here. Nevertheless, it may 
be sensible to slightly deviate from these requirements for certain 
applications (e.g., in order to achieve higher computational 
performance). More details on requirements for cryptographically 
strong elliptic curves can be found in [CFDA] and [BSS]. 


1. Immunity to attacks using the Weil or Tate Pairing. These
attacks allow the embedding of the cyclic subgroup generated by G
into the group of units of a degree-l extension GF(p^l) of GF(p),
where sub-exponential attacks on the discrete logarithm problem
(DLP) exist. Here we have l = min{t | q divides p^t - 1}, i.e.,
l is the order of p mod q. By Fermat's Little Theorem, l divides
q-1. We require (q-1)/l < 100, which means that l is close to
the maximum possible value. This requirement is considerably
stronger than those of [SEC2] and [ANSI2] and also excludes
supersingular curves, as those are the curves of order p+1.


2. The trace is not equal to one. Trace one curves (or anomalous 
curves) are curves with #E(GF(p)) = p. Satoh and Araki [SA], 
Semaev [Sem], and Smart [Sma] independently proposed efficient 
solutions to the elliptic curve discrete logarithm problem 
(ECDLP) on trace one curves. Note that these curves are also 
excluded by requirement 5 of Section 2.2. 


3. Large class number. The class number of the maximal order of the
quotient field of the endomorphism ring End(E) of E is larger
than 10^7. Generally, E cannot be "lifted" to a curve E' over an
algebraic number field L with End(E) = End(E') unless the degree
of L over the rationals is larger than the class number of
End(E). Although there are no efficient attacks exploiting a
small class number, recent work ([JMV] and [HR]) also may be seen
as argument for the class number condition.

4. Prime group order. The group order #E(GF(p)) shall be a prime
number in order to counter small-subgroup attacks (see [HMV]). 
Therefore, all groups proposed in this RFC have cofactor 1. Note 
that curves with prime order have no point of order 2 and 
therefore no point with y-coordinate 0. 


5. Verifiably pseudo-random. The elliptic curve domain parameters 
shall be generated in a pseudo-random manner using seeds that are 
generated in a systematic and comprehensive way. The methods by 
which the parameters have been obtained are explained in Appendix 
A. 


6. Proof of security. For all curves, a proof should be given that 
all security requirements are met. These proofs are provided in 
[EBP]. 


In [BG], attacks are described that apply to elliptic curve domain
parameters where q-1 has a factor u in the order of q^(1/3).
However, the circumstances under which these attacks are applicable 
can be avoided in most applications. Therefore, no corresponding 
security requirement is stated here. However, it is highly 
recommended that developers verify the security of their 
implementations against this kind of attack. 


2.2. Technical Requirements 


Commercial demands and experience with existing implementations lead 
to the following technical requirements for the elliptic curve domain 
parameters. 


1. For each of the bit lengths 160, 192, 224, 256, 320, 384, and 
512, one curve shall be proposed. This requirement follows from 
the need for curves providing different levels of security that 
are appropriate for the underlying symmetric algorithms. The 
existing standards specify a 521-bit curve instead of a 512-bit 
curve. 


2. The prime number p shall be congruent 3 mod 4. This requirement
allows efficient point compression: one method for the
transmission of curve points P=(x,y) is to transmit only x and
the least significant bit LSB(y) of y. For p = 3 mod 4, we get
(y^2)^((p+1)/4) = y*y^((p-1)/2), which is either y or -y by
Fermat's Little Theorem; hence, y can be computed very
efficiently using the curve equation. This requirement is not
always met by the parameters defined in existing standards.

3. The curves shall be GF(p)-isomorphic to a curve E': y^2 = x^3 +
A'*x + B' mod p with A' = -3 mod p. This property permits the
use of the arithmetical advantages of curves with A = -3, as
shown by Brier and Joye [BJ]. For p = 3 mod 4, approximately
half of the isomorphism classes of elliptic curves over GF(p)
contain a curve E' with A' = -3 mod p. Precisely, if a curve is
given by E: y^2 = x^3 + A*x + B mod p with -3 = A*u^4 being
solvable in GF(p) and u=Z is a solution to this equation, then
the requirement is fulfilled by means of the quadratic twist E':
y^2 = x^3 + Z^4*A*x + Z^6*B mod p, and the GF(p)-isomorphism is
given by F(x,y) := (x*Z^2, y*Z^3). Due to this isomorphism,
E(GF(p)) and E'(GF(p)) have the same number of points, share the
same algebraic structure, and hence offer the same level of
security. This constraint has also been used by [SEC2] and
[FIPS].


4. The prime p must not be of any special form; this requirement is 
met by a verifiably pseudo-random generation of the parameters 
(see requirement 5 in Section 2.1). Although parameters 
specified by existing standards do not meet this requirement, the 
need for such curves over (pseudo-)randomly chosen fields has 
already been foreseen by the Standards for Efficient Cryptography 
Group (SECG), see [SEC2]. 


5. #E(GF(p)) < p. As a consequence of the Hasse-Weil Theorem, the
number of points #E(GF(p)) may be greater than the characteristic
p of the prime field GF(p). In some cases, even the bit-length
of #E(GF(p)) can exceed the bit-length of p. To avoid overruns
in implementations, we require that #E(GF(p)) < p. In order to
thwart attacks on digital signature schemes, some authors propose
to use q > p, but the attacks described, e.g., in [BRS], appear
infeasible in a well-designed Public Key Infrastructure (PKI).


6. B shall be a non-square mod p. Otherwise, the compressed 
representations of the curve-points (0,0) and (0,X), with X being 
the square root of B with a least significant bit of 0, would be 
identical. As there are implementations of elliptic curves that 
encode the point at infinity as (0,0), we try to avoid 
ambiguities. Note that this condition is stable under quadratic 
twists as described in condition 3 above. Condition 6 makes the 
attack described in [G] impossible. It can therefore also be 
seen as a security requirement. This constraint has not been 
specified by existing standards. 
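
Requirements 2, 3, 5 and 6 above can be checked mechanically on a published parameter set. The Python below is an added example, not code from the RFC or its authors; it uses the brainpoolP256r1 values from Section 3.4, its function names are illustrative, and it also checks that G has order q.

```python
# Added example, not part of RFC 5639. Constants are the brainpoolP256r1
# values listed in Section 3.4; all function names are illustrative.
P = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
G = (0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262,
     0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997)
Q = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7

def is_square(a, p):
    """Euler criterion: True iff a is a non-zero square mod p."""
    return pow(a % p, (p - 1) // 2, p) == 1

def sqrt_mod(a, p):
    """Square root for p = 3 mod 4 (requirement 2): a^((p+1)/4) mod p."""
    if p % 4 != 3:
        raise ValueError("shortcut needs p = 3 mod 4")
    r = pow(a % p, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("not a square mod p")
    return r

def on_curve(pt, a, b, p):
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0

def compress(pt):
    """Keep x and LSB(y) only."""
    return pt[0], pt[1] & 1

def decompress(x, lsb, a, b, p):
    """Recover y from the curve equation; raises if x belongs to no point."""
    y = sqrt_mod(x * x * x + a * x + b, p)
    return (x, y if y & 1 == lsb else p - y)

def add(p1, p2, a, p):
    """Affine group law; None stands for the neutral element O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if x1 == x2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, p - 2, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, p - 2, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, pt, a, p):
    """Double-and-add (not constant time; for parameter checks only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt, a, p)
        pt = add(pt, pt, a, p)
        k >>= 1
    return acc

def twist(a, b, p):
    """Requirement 3: solve -3 = A*Z^4 mod p, return (Z, A', B')."""
    u = -3 * pow(a, p - 2, p) % p
    # For p = 3 mod 4, sqrt_mod returns the root that is itself a square,
    # so applying it twice yields a fourth root.
    z = sqrt_mod(sqrt_mod(u, p), p)
    return z, a * pow(z, 4, p) % p, b * pow(z, 6, p) % p

def validate():
    """Run the Section 2.2 checks; returns {check name: bool}."""
    z, a_t, b_t = twist(A, B, P)
    g_t = (G[0] * z * z % P, G[1] * pow(z, 3, P) % P)  # F(x,y) = (x*Z^2, y*Z^3)
    return {
        "p = 3 mod 4": P % 4 == 3,
        "q < p": Q < P,
        "4A^3 + 27B^2 != 0": (4 * A**3 + 27 * B**2) % P != 0,
        "B is a non-square": not is_square(B, P),
        "G on E": on_curve(G, A, B, P),
        "q*G = O": mul(Q, G, A, P) is None,
        "decompress(compress(G)) = G": decompress(*compress(G), A, B, P) == G,
        "A' = -3 mod p": a_t == P - 3,
        "B' is a non-square": not is_square(b_t, P),
        "F(G) on E'": on_curve(g_t, a_t, b_t, P),
        "q*F(G) = O": mul(Q, g_t, a_t, P) is None,
    }

if __name__ == "__main__":
    for name, ok in validate().items():
        print("%-30s %s" % (name, "ok" if ok else "FAILED"))
```

Because B is a non-square, `decompress(0, 0, A, B, P)` raises instead of returning a point, which is the ambiguity requirement 6 is meant to rule out.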

3. Domain Parameter Specification


In this section, the elliptic curve domain parameters proposed are 
specified in the following way. 


For all curves, an ID is given by which it can be referenced. 
p is the prime specifying the base field. 


A and B are the coefficients of the equation y^2 = x^3 + A*x + B
mod p defining the elliptic curve. 


G = (x,y) is the base point, i.e., a point in E of prime order, 
with x and y being its x- and y-coordinates, respectively. 


q is the prime order of the group generated by G. 
h is the cofactor of G in E, i.e., #E(GF(p))/q. 


For the twisted curve, we also give the coefficient Z that defines 
the isomorphism F (see requirement 3 in Section 2.2). 


The methods for the generation of the parameters are given in 
Appendix A. Proofs for the fulfillment of the security requirements 
specified in Section 2.1 are given in [EBP]. 


3.1. Domain Parameters for 160-Bit Curves 


Curve-ID: brainpoolP160r1
p = E95E4A5F737059DC60DFC7AD95B3D8139515620F
A = 340E7BE2A280EB74E2BE61BADA745D97E8F7C300
B = 1E589A8595423412134FAA2DBDEC95C8D8675E58
x = BED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3
y = 1667CB477A1A8EC338F94741669C976316DA6321
q = E95E4A5F737059DC60DF5991D45029409E60FC09
h = 1

#Twisted curve
Curve-ID: brainpoolP160t1
Z = 24DBFF5DEC9B986BBFE5295A29BFBAE45E0F5D0B
A = E95E4A5F737059DC60DFC7AD95B3D8139515620C
B = 7A556B6DAE535B7B51ED2C4D7DAA7A0B5C55F380
x = B199B13B9B34EFC1397E64BAEB05ACC265FF2378
y = ADD6718B7C7C1961F0991B842443772152C9E0AD
q = E95E4A5F737059DC60DF5991D45029409E60FC09
h = 1

3.2. Domain Parameters for 192-Bit Curves

Curve-ID: brainpoolP192r1
p = C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297
A = 6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF
B = 469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9
x = C0A0647EAAB6A18753B033C56CB0F0900A2F5C4853375FD6
y = 14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F
q = C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1
h = 1

#Twisted curve
Curve-ID: brainpoolP192t1
Z = 1B6F5CC8DB4DC7AF19458A9CB80DC2295E5EB9C3732104CB
A = C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86294
B = 13D56FFAEC78681E68F9DEB43B35BEC2FB68542E27897B79
x = 3AE9E58C82F63C30282E1FE7BBF43FA72C446AF6F4618129
y = 097E2C5667C2223A902AB5CA449D0084B7E5B3DE7CCC01C9
q = C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1
h = 1

3.3. Domain Parameters for 224-Bit Curves 


Curve-ID: brainpoolP224r1 


p = D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF 


A = 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43 


B = 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B 


x = 0D9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D 
y = 58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD 
q = D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F 
h = 1 

#Twisted curve 

Curve-ID: brainpoolP224t1 
Z = 2DF271E14427A346910CF7A2E6CFA7B3F484E5C2CCE1C8B730E28B3F 
A = D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FC 


B = 4B337D934104CD7BEF271BF60CED1ED20DA14C08B3BB64F18A60888D 


x = 6AB1E344CE25FF3896424E7FFE14762ECB49F8928AC0C76029B4D580 


y = 0374E9F5143E568CD23F3F4D7C0D4B1E41C8CC0D1C6ABD5F1A46DB4C 
q = D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F 


h = 1 

3.4. Domain Parameters for 256-Bit Curves

Curve-ID: brainpoolP256r1
p =
A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A =
7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B =
26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
x =
8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262
y =
547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
q =
A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
h = 1

#Twisted curve
Curve-ID: brainpoolP256t1
Z =
3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0
A =
A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374
B =
662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04
x =
A3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4
y =
2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE
q =
A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
h = 1

3.5. Domain Parameters for 320-Bit Curves

Curve-ID: brainpoolP320r1
p = D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC
28FCD412B1F1B32E27
A = 3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9
F492F375A97D860EB4
B = 520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539
816F5EB4AC8FB1F1A6
x = 43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599
C710AF8D0D39E20611
y = 14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6A
C7D35245D1692E8EE1
q = D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658
E98691555B44C59311
h = 1

#Twisted curve
Curve-ID: brainpoolP320t1
Z = 15F75CAF668077F7E85B42EB01F0A81FF56ECD6191D55CB82B7D861458A18F
EFC3E5AB7496F3C7B1
A = D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC
28FCD412B1F1B32E24
B = A7F561E038EB1ED560B3D147DB782013064C19F27ED27C6780AAF77FB8A547
CEB5B4FEF422340353
x = 925BE9FB01AFC6FB4D3E7D4990010F813408AB106C4F09CB7EE07868CC136F
FF3357F624A21BED52
y = 63BA3A7A27483EBF6671DBEF7ABB30EBEE084E58A0B077AD42A5A0989D1EE7
1B1B9BC0455FB0D2C3
q = D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658
E98691555B44C59311
h = 1

3.6. Domain Parameters for 384-Bit Curves

Curve-ID: brainpoolP384r1
p = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB711
23ACD3A729901D1A71874700133107EC53
A = 7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F9
0F8AA5814A503AD4EB04A8C7DD22CE2826
B = 04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62
D57CB4390295DBC9943AB78696FA504C11
x = 1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10
E8E826E03436D646AAEF87B2E247D4AF1E
y = 8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129
280E4646217791811142820341263C5315
q = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425
A7CF3AB6AF6B7FC3103B883202E9046565
h = 1

#Twisted curve
Curve-ID: brainpoolP384t1
Z = 41DFE8DD399331F7166A66076734A89CD0D2BCDB7D068E44E1F378F41ECBAE
97D2D63DBC87BCCDDCCC5DA39E8589291C
A = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB711
23ACD3A729901D1A71874700133107EC50
B = 7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE
1D2074AA263B88805CED70355A33B471EE
x = 18DE98B02DB9A306F2AFCD7235F72A819B80AB12EBD653172476FECD462AAB
FFC4FF191B946A5F54D8D0AA2F418808CC
y = 25AB056962D30651A114AFD2755AD336747F93475B7A1FCA3B88F2B6A208CC
FE469408584DC2B2912675BF5B9E582928
q = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425
A7CF3AB6AF6B7FC3103B883202E9046565
h = 1

3.7. Domain Parameters for 512-Bit Curves

Curve-ID: brainpoolP512r1
p = AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308
717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3
A = 7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863
BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA
B = 3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117
A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723
x = 81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D009
8EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822
y = 7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F81
11B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892
q = AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308
70553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069
h = 1

#Twisted curve
Curve-ID: brainpoolP512t1
Z = 12EE58E6764838B69782136F0F2D3BA06E27695716054092E60A80BEDB212B
64E585D90BCE13761F85C3F1D2A64E3BE8FEA2220F01EBA5EEB0F35DBD29D922AB
A = AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308
717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F0
B = 7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36
A62BCDFA2304976540F6450085F2DAE145C22553B465763689180EA2571867423E
x = 640ECE5C12788717B9C1BA06CBC2A6FEBA85842458C56DDE9DB1758D39C031
3D82BA51735CDB3EA499AA77A7D6943A64F7A3F25FE26F06B51BAA2696FA9035DA
y = 5B534BD595F5AF0FA2C892376C84ACE1BB4E3019B71634C01131159CAE03CE
E9D9932184BEEF216BD71DF2DADF86A627306ECFF96DBB8BACE198B61E00F8B332
q = AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308
70553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069
h = 1

4. Object Identifiers and ASN.1 Syntax

4.1. Object Identifiers


ECC Brainpool Standard Curves & Curve Generation 


March 2010 


The root of the tree for the object identifiers defined in this
specification is given by:

ecStdCurvesAndGeneration OBJECT IDENTIFIER ::= {iso(1)
identified-organization(3) teletrust(36) algorithm(3) signature-
algorithm(3) ecSign(2) 8}

The object identifier ellipticCurve represents the tree for domain
parameter sets. It has the following value:

ellipticCurve OBJECT IDENTIFIER ::= {ecStdCurvesAndGeneration 1}

The tree containing the object identifiers for each set of domain
parameters defined in this RFC is:

versionOne OBJECT IDENTIFIER ::= {ellipticCurve 1}


The following object identifiers represent the domain parameter sets 
defined in this RFC: 


Lochter & Merkle 


brainpoolP160r1 OBJECT IDENTIFIER ::= {versionOne 1}
brainpoolP160t1 OBJECT IDENTIFIER ::= {versionOne 2}
brainpoolP192r1 OBJECT IDENTIFIER ::= {versionOne 3}
brainpoolP192t1 OBJECT IDENTIFIER ::= {versionOne 4}
brainpoolP224r1 OBJECT IDENTIFIER ::= {versionOne 5}
brainpoolP224t1 OBJECT IDENTIFIER ::= {versionOne 6}
brainpoolP256r1 OBJECT IDENTIFIER ::= {versionOne 7}
brainpoolP256t1 OBJECT IDENTIFIER ::= {versionOne 8}
brainpoolP320r1 OBJECT IDENTIFIER ::= {versionOne 9}
brainpoolP320t1 OBJECT IDENTIFIER ::= {versionOne 10}
brainpoolP384r1 OBJECT IDENTIFIER ::= {versionOne 11}
brainpoolP384t1 OBJECT IDENTIFIER ::= {versionOne 12}
brainpoolP512r1 OBJECT IDENTIFIER ::= {versionOne 13}
brainpoolP512t1 OBJECT IDENTIFIER ::= {versionOne 14}


4.2. ASN.1 Syntax for Usage with X.509 Certificates 


The domain parameters specified in this RFC SHALL be used with X.509 
certificates in accordance with [RFC5480]. In particular, 


o the algorithm field of subjectPublicKeyInfo MUST be set to: 


* id-ecPublicKey, if the algorithms that can be used with the 
subject public key are not restricted, or 


* id-ecDH to restrict the usage of the subject public key to 
Elliptic Curve Diffie-Hellman (ECDH) key agreement, or 


* id-ecMQV to restrict the usage of the subject public key to
Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement, and


o the field algorithm.parameter of subjectPublicKeyInfo MUST be of 
type: 


* namedCurve to specify the domain parameters by one of the 
Object Identifiers (OIDs) defined in Section 4.1, or 


* specifiedCurve to specify the domain parameters explicitly as 
defined in [RFC5480], or 


* implicitCurve, if the domain parameters are found in an 
issuer’s certificate. 


If the domain parameters are explicitly specified using the type 
specifiedCurve in the field algorithm.parameter of 
subjectPublicKeyInfo, ANSI X9.62 [ANSI1] and [RFC5480] allow 
indicating whether or not a curve and base point have been generated 
verifiably in a pseudo-random way. Although the parameters specified 
in Section 3 have all been generated by the pseudo-random methods 
described in Appendix A, these algorithms deviate from those mandated 
in ANSI X9.62, A.3.3.1. Consequently, applications following ANSI 
X9.62 or [RFC5480] will not be able to verify the pseudo-randomness 
of the parameters. In order to avoid rejection of the parameters, 
the ASN.1 encoding SHOULD NOT specify that the curve or base point 
has been generated verifiably at random. In particular, 
certification authorities (CAs) SHOULD set the contents of 
specifiedCurve in the following way: 


o version is set to ecpVer1(1).

o fieldId includes the fieldType prime-field and as parameter the
value p of the selected domain parameters as specified in Section
3.


o curve includes the values a and b of the selected domain 
parameters as specified in Section 3, but seed is absent. 


o base is the octet string representation of the base point G of the 
selected domain parameters as specified in Section 3. 


o order is set to q of the selected domain parameters as specified 
in Section 3. 


o cofactor is set to 1. 
o hash is absent. 


5. Security Considerations

The level of security provided by symmetric ciphers and hash
functions used in conjunction with the elliptic curve domain
parameters specified in this RFC should roughly match or exceed the
level provided by the domain parameters. The following table
indicates the minimum key sizes for symmetric ciphers and hash
functions providing at least (roughly) comparable security.

+--------------------+--------------------+-------------------------+
| elliptic curve     | minimum length of  | hash functions          |
| domain parameters  | symmetric keys     |                         |
+--------------------+--------------------+-------------------------+
| brainpoolP160r1    | 80                 | SHA-1, SHA-224,         |
|                    |                    | SHA-256, SHA-384,       |
|                    |                    | SHA-512                 |
|                    |                    |                         |
| brainpoolP192r1    | 96                 | SHA-224, SHA-256,       |
|                    |                    | SHA-384, SHA-512        |
|                    |                    |                         |
| brainpoolP224r1    | 112                | SHA-224, SHA-256,       |
|                    |                    | SHA-384, SHA-512        |
|                    |                    |                         |
| brainpoolP256r1    | 128                | SHA-256, SHA-384,       |
|                    |                    | SHA-512                 |
|                    |                    |                         |
| brainpoolP320r1    | 160                | SHA-384, SHA-512        |
|                    |                    |                         |
| brainpoolP384r1    | 192                | SHA-384, SHA-512        |
|                    |                    |                         |
| brainpoolP512r1    | 256                | SHA-512                 |
+--------------------+--------------------+-------------------------+

Table 1


Security properties of the elliptic curve domain parameters specified 
in this RFC are discussed in Section 2.1. Further security 
discussions specific to elliptic curve cryptography can be found in 
[ANSI1] and [SEC1]. 


6. Intellectual Property Rights 


The authors have no knowledge about any intellectual property rights
that cover the usage of the domain parameters defined herein.
However, readers should be aware that implementations based on these
domain parameters may require use of inventions covered by patent
rights.

Appendix A. Pseudo-Random Generation of Parameters


In this appendix, the methods used for pseudo-random generation of 
the elliptic curve domain parameters are described. A comprehensive 
description is given in [EBP]. 


Throughout this section the following conventions are used: 


The conversion between integers x in the range 0 <= x <= 2^L - 1 and
bit strings of length L is given by x <--> {x_1,...,x_L} and the
binary expansion

x = x_1*2^(L-1) + x_2*2^(L-2) + ... + x_(L-1)*2 + x_L, i.e., the
first bit of the bit string corresponds to the most significant bit
of the corresponding integer and the last bit to the least
significant bit.


For a real number x, let floor(x) denote the highest integer less 
than or equal to x. 


For updating the seed s of 160-bit length we use the following
function update_seed(s):

1. Convert s to an integer z.
2. Convert (z+1) mod 2^160 to a bit string t and output t.

A.1. Generation of Prime Numbers

This section describes the systematic selection of the base fields
GF(p) proposed in this specification. The prime generation method is
similar to the method given in FIPS 186-2 [FIPS], Appendix 6.4, and
ANSI X9.62 [ANSI1], A.3.2. It is a modification of the method
"incremental search" given in Section 8.2.2 of [ISO3].


For computing an integer x in the range 0 <= x <= 2^L - 1 from a seed
s of 160-bit length, we use the following algorithm find_integer(s):

1. Set v = floor((L-1)/160) and w = L - 160*v.
2. Compute h = SHA-1(s).
3. Let h_0 be the bit string obtained by taking the w rightmost bits
of h.
4. Convert s to an integer z.
5. For i from 1 to v do:
   A. Set z_i = (z+i) mod 2^160.
   B. Convert z_i to a bit string s_i.
   C. Set h_i = SHA-1(s_i).
6. Let h be the string obtained by the concatenation of h_0,...,h_v
from left to right.
7. Convert h to an integer x and output x.


The following procedure is used to generate an L bit prime p from a 
160-bit seed s. 


1. Set c = find_integer(s).
2. Let p be the smallest prime p >= c with p
3. If 2^(L-1) <= p <= 2^L - 1 output p and stop.
4. Set s = update_seed(s) and go to Step 1.


For the generation of the primes p used as base fields GF(p) for the
curves defined in this specification (and the corresponding twisted
curves), the following values (in hexadecimal representation) have
been used as initial seed s:


Seed_p_160 for brainpoolP160r1: 
3243F6A8885A308D313198A2E03707344A409382 


Seed_p_192 for brainpoolP192r1: 
2299F31D0082EFA98EC4E6C89452821E638D0137 


Seed_p_224 for brainpoolP224r1: 
7BE5466CF34E90C6CC0AC29B7C97C50DD3F84D5B 


Seed_p_256 for brainpoolP256r1: 
5B54709179216D5D98979FB1BD1310BA698DFB5A 


Seed_p_320 for brainpoolP320r1: 
C2FFD72DBD01ADFB7B8E1AFED6A267E96BA7C904 


Seed_p_384 for brainpoolP384r1: 
5F12C7F9924A19947B3916CF70801F2E2858EFC1 


Seed_p_512 for brainpoolP512r1: 
6636920D871574E69A458FEA3F4933D7E0D95748 

These seeds have been obtained as the first 7 substrings of 160-bit
length each of Q = Pi*2^1120, where Pi is the constant 3.14159...,
also known as Ludolph's number, i.e.,

Q = Seed_p_160||Seed_p_192||...||Seed_p_512||Remainder,
where || denotes concatenation.

Using these seeds and the above algorithm the following primes are
obtained:

p_160 = 1332297598440044874827085558802491743757193798159 
p_192 = 4781668983906166242955001894344923773259119655253013193367 


p_224 = 2272162293245435278755253799591092807334073214594499230443 
5472941311 


p_256 = 7688495639704534422080974662900164909303795020094305520373 
5601445031516197751 


p_320 = 1763593322239166354161909842446019520889512772719515192772 
9604152886408688021498180955014999035278 


p_384 = 2165927077011931617306923684233260497979611638701764860008 
1618503821089934025961822236561982844534088440708417973331 


p_512 = 8948962207650232551656602815159153422162609644098354511344 
597187200057010413552439917934304191956942765446530386427345937963 
894309923928536070534607816947 
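
The A.1 procedure can be re-run from a seed and compared with a published prime. The Python below is an added example, not code from the RFC or its authors. It assumes the seed is hashed as a 20-byte big-endian string, takes the congruence p = 3 mod 4 for Step 2 from requirement 2 of Section 2.2, and uses a Miller-Rabin test with fixed bases as its primality check; the function names mirror the text.

```python
import hashlib

# Seed_p_160 from this appendix and p of brainpoolP160r1 from Section 3.1.
SEED_P_160 = 0x3243F6A8885A308D313198A2E03707344A409382
P_160_PUBLISHED = 0xE95E4A5F737059DC60DFC7AD95B3D8139515620F
MOD_160 = 1 << 160
# Fixed Miller-Rabin bases keep the run reproducible (a choice of this example).
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53)


def update_seed(s):
    """update_seed(s): (z + 1) mod 2^160."""
    return (s + 1) % MOD_160


def sha1_int(z):
    """SHA-1 of the 160-bit big-endian string for z, read back as an integer."""
    return int.from_bytes(hashlib.sha1(z.to_bytes(20, "big")).digest(), "big")


def find_integer(s, L):
    """find_integer(s): integer in [0, 2^L - 1] from h_0 || h_1 || ... || h_v."""
    v = (L - 1) // 160
    w = L - 160 * v
    x = sha1_int(s) & ((1 << w) - 1)           # h_0: the w rightmost bits of SHA-1(s)
    for i in range(1, v + 1):
        x = (x << 160) | sha1_int((s + i) % MOD_160)   # append h_i = SHA-1(s_i)
    return x


def is_probable_prime(n):
    """Miller-Rabin with the fixed bases above."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(seed, L):
    """Steps 1 to 4: returns (p, seed value that produced it)."""
    s = seed
    while True:
        c = find_integer(s, L)
        p = c + (3 - c) % 4                    # smallest value >= c with p = 3 mod 4
        while not is_probable_prime(p):
            p += 4
        if (1 << (L - 1)) <= p <= (1 << L) - 1:
            return p, s
        s = update_seed(s)                     # wrong bit length: next seed, Step 1


if __name__ == "__main__":
    p, s = generate_prime(SEED_P_160, 160)
    print("seed updates needed:", s - SEED_P_160)
    print("p =", format(p, "040X"))
    print("equals p of brainpoolP160r1:", p == P_160_PUBLISHED)
```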


A.2. Generation of Pseudo-Random Curves 


The generation procedure is similar to the procedure given in FIPS 
PUB 186-2 [FIPS], Appendix 6.4, and ANSI X9.62 [ANSI1], A.3.2. 


For computing an integer x in the range 0 <= x <= 2^(L-1) - 1 from a
seed s of 160-bit length, we use the algorithm find_integer_2(s),
which slightly differs from the method used for the generation of the
primes.

1. Set v = floor((L-1)/160) and w = L - 160*v - 1.
2. Compute h = SHA-1(s).
3. Let h_0 be the bit string obtained by taking the w rightmost bits
of h.
4. Convert s to an integer z.
5. For i from 1 to v do:
   A. Set z_i = (z+i) mod 2^160.
   B. Convert z_i to a bit string s_i.
   C. Set h_i = SHA-1(s_i).
6. Let h be the string obtained by the concatenation of h_0,...,h_v
from left to right.
7. Convert h to an integer x and output x.


The following procedure is used to generate the parameters A and B of 
a suitable elliptic curve over GF(p) and a base point G from a prime 
p of bit length L and a 160-bit seed s. 


1. Set h = find_integer_2(s).
2. Convert h to an integer A.
3. If -3 = A*Z^4 mod p is not solvable, then set s = update_seed(s)
and go to Step 1.
4. Compute one solution Z of -3 = A*Z^4 mod p.
5. Set s = update_seed(s).
6. Set B = find_integer_2(s).
7. If B is a square mod p, then set s = update_seed(s) and go to
Step 6.
8. If 4*A^3 + 27*B^2 = 0 mod p, then set s = update_seed(s) and go
to Step 1.
9. Check that the elliptic curve E over GF(p) given by y^2 = x^3 +
A*x + B fulfills all security and functional requirements given
in Section 3. If not, then set s = update_seed(s) and go to Step
1.
10. Set s = update_seed(s).
11. Set k = find_integer_2(s).
12. Determine the points Q and -Q having the smallest x-coordinate in
E(GF(p)). Randomly select one of them as point P.
13. Compute the base point G = k * P.
14. Output A, B, and G.


Note: Of course P could also be used as a base point. However, the 
small x-coordinate of P could possibly render the curve vulnerable to 
side-channel attacks. 


For the generation of curve parameters A and B, and the base points G 
defined in this specification, the following values (in hexadecimal 
representation) have been used as initial seed s: 


Seed_ab_160 for brainpoolP160r1: 
2B7E151628AED2A6ABF7158809CF4F3C762E7160 


Seed_ab_192 for brainpoolP192r1: 
F38B4DA56A784D9045190CFEF324E7738926CFBE 


Seed_ab_224 for brainpoolP224r1: 
5F4BF8D8D8C31D763DA06C80ABB1185EB4F7C7B5 


Seed_ab_256 for brainpoolP256r1: 
757F5958490CFD47D7C19BB42158D9554F7B46BC


Seed_ab_320 for brainpoolP320r1: 
ED55C4D79FD5F24D6613C31C3839A2DDF8A9A276 


Seed_ab_384 for brainpoolP384r1: 
BCFBFA1C877C56284DAB79CD4C2B3293D20E9E5E 


Seed_ab_512 for brainpoolP512r1:
AF02AC60ACC93ED874422A52ECB238FEEE5AB6AD


These seeds have been obtained as the first 7 substrings of 160-bit
length each of R = floor(e*2^1120), where e denotes the constant
2.71828..., also known as Euler's number, i.e.,

R = Seed_ab_160||Seed_ab_192||...||Seed_ab_512||Remainder,
where || denotes concatenation.